1. Technical Field
The invention concerns a cryptography device, an integrated circuit with a cryptography device, a cryptographic method and a computer program product for carrying out the cryptographic method.
2. Discussion of Related Art
In cryptography the term side channel attack is used to denote any attack based on information gained from the physical implementation of a cryptosystem, so-called side channel information, which is therefore not based on theoretical weaknesses in the algorithms. For example timing information, power consumption, electromagnetic leaks or even sound can respectively provide an additional source of information which can be exploited to break the system. Many side channel attacks require considerable technical knowledge of the internal operations of a cryptosystem in which the cryptography method is implemented.
A distinction is drawn between different kinds of side channel attacks:
Timing attacks are attacks which are based on measuring the time that various computations of the cryptosystem require for implementation.
Architecture side effect attacks are attacks which utilize the side effects in the performance of a computation on a given machine architecture (for example erasing cache lines).
Power consumption measurement attacks are attacks which utilize the changing power consumption of the hardware during computations.
TEMPEST (van Eck or radiation monitoring) attacks are attacks which are based on the leakage of electromagnetic radiation and which provide direct plaintext or other information.
Acoustic cryptanalysis attacks are attacks which exploit, as the source of information, the sound emitted during the computations (similarly to the power consumption measurement attacks).
The underlying principle in all the above-specified cases is that physical effects which are produced while the cryptosystem is operating can provide useful extra information about secrets in the cryptosystem, for example a cryptographic key, in part status information, full or partial plaintext and so forth. The term cryptophthora (secret degradation) is sometimes used to express the degradation of the secret content of the secret key due to side channel leaks.
In a timing attack data movement into and out of the CPU or the memory of the hardware on which the cryptosystem or the algorithm is running is monitored. By observing how long it takes to transfer the key information, it is possible to determine the length of the key in use at that moment.
Internal computation steps in many cipher implementations provide information about the plaintext or the key. Some of that information can be inferred from the monitored timing. Alternatively, in a timing attack, it is also possible to measure how long the cryptographic algorithm takes to run. That alone can provide sufficient information to be useful in cryptanalytic terms.
A power consumption attack can provide similar information by monitoring the power lines for the hardware, specifically the CPU. Just as with a timing attack, considerable information can be acquired under some circumstances in relation to some algorithms.
A fundamental and inevitable physical fact is that changes in the flow of current produce radio waves so that whatever is producing current flows—at least in principle—makes a van Eck (so-called TEMPEST) attack possible. If the current flows are structured to distinguishable degrees, which is usually the case, the radiation can be recorded in order to infer information about the operations on the corresponding hardware.
A further inevitable physical fact in circuits is that flowing currents heat the material through which they are flowing. Therefore, depending on the respective current flow, heat is also continuously dissipated to the environment. By virtue of the laws of thermodynamics, continually changing thermally induced mechanical stresses are produced in that way. Those stresses are the main causes of low level sound emissions from computing CPUs. It is conceivable that information about the computations of cryptosystems and algorithms can also be acquired in that way.
If the surface of the CPU chip or in some cases the casing of the CPU can be monitored, infrared images can also provide information about the operations which the CPU is performing. This is known as a thermal imaging attack.
A further form of side channel attack is power analysis, in which the attacker analyzes the current consumption of cryptographic hardware such as a smart card, a manipulation-secure black box, a microchip etc. Power analysis can provide information as to what a device is doing at a given moment and can even yield key material.
Differential power analysis is an expansion of power analysis, which can allow the attacker to compute intermediate values of data blocks and key blocks.
Viewing graphs of time and current which a cryptosystem consumes can often exactly show what the cryptosystem is doing at a given time.
The currents flowing through a cryptosystem are usually low. However electrical laboratories usually have devices for measuring them precisely enough, reliably and frequently. It is reasonable for a developer of a cryptosystem to assume that an adversary has access to such devices.
Power analysis does not look for weaknesses in the algorithms or protocols but rather in their implementations. It affords a possible way of “looking into” hardware which is otherwise manipulation-secure. For example the DES key schedule involves rotating 28 bit key registers. To save time most implementations simply check the least significant bit to see whether it is a 1. If that is the case they divide the register by two and attach the 1 at the left-hand end. Power analysis can make clear the difference between a register with a 1 and a register with a 0 when that happens. That can expose information about the key used. DES permutations, which are frequently implemented naively in software, offer still more information by virtue of their decision branches.
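As an added illustration, not code from the patent, of the decision branch just described: the rotation of one 28-bit half of the DES key register written with the key-dependent branch, beside a branch-free form of the same rotation. The branch counter is a constructed stand-in for what a power trace would distinguish.

```c
#include <stdint.h>

#define MASK28 0x0FFFFFFFu   /* one 28-bit half of the DES key register */

/* Rotation as the text describes: test the least significant bit, halve
   the register and, when the bit was 1, re-attach it at the left-hand end.
   The branch depends on a key bit, so the two paths leave distinguishable
   power traces. 'branch_taken' is a constructed counter standing in for
   what a power trace would reveal. */
static uint32_t rotr28_branchy(uint32_t reg, int *branch_taken)
{
    uint32_t out = reg >> 1;
    if (reg & 1u) {                 /* key-dependent decision branch */
        out |= 1u << 27;
        (*branch_taken)++;
    }
    return out & MASK28;
}

/* Hardened variant: the same rotation with no decision branch. The low
   bit is carried to bit 27 by arithmetic alone, so the executed
   instruction sequence is the same whatever the key bit is. */
static uint32_t rotr28_ct(uint32_t reg)
{
    return ((reg >> 1) | ((reg & 1u) << 27)) & MASK28;
}

/* Rotate a register through one full 28-step cycle with the branching
   version and report how many steps took the branch: an observer of the
   trace would learn the Hamming weight of the half-key. */
int branches_over_cycle(uint32_t reg)
{
    int taken = 0;
    for (int i = 0; i < 28; i++) reg = rotr28_branchy(reg, &taken);
    return taken;
}

/* Returns 1 when both variants agree at every step of a full cycle. */
int variants_agree(uint32_t reg)
{
    int unused = 0;
    uint32_t a = reg, b = reg;
    for (int i = 0; i < 28; i++) {
        a = rotr28_branchy(a, &unused);
        b = rotr28_ct(b);
        if (a != b) return 0;
    }
    return a == reg;   /* after 28 rotations the register is back at its start */
}
```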
Differential power analysis (DPA) is a method of attacking a cryptosystem in which the changing power consumption of microprocessors during the execution of cryptographic programs is utilized. It is also a side channel attack. By performing a statistical analysis of the measured power consumption during many runs of a given cryptographic algorithm it may be possible to obtain information about the secret key stored on a smart card if the implementation of the algorithm is not DPA-manipulation-secure.
Another known countermeasure includes changes to the algorithm so that the cryptographic operations are applied to data which stand in a mathematical relationship with the actual value, that relationship surviving the cryptographic operations. That is referred to as camouflaging and uses an algorithm based on number theory, such as factorizing or discrete logarithms.
U.S. Pat. No. 6,724,894 describes a method of protection from side channel attacks, specifically from differential power analysis, in which temporary keys are produced by modifying the secret key with a random number. In a first step the message to be encrypted is encrypted with the temporary key. Thereafter a further function is applied to the message, which implements encryption, that encryption being identical to that which can be achieved directly with the unmodified key. That has the advantage that the information which is susceptible to side channel attacks varies continually with the random number, and in that case the susceptibility of the cryptosystem to side channel attacks is reduced. It will be noted however that in this case it is necessary to produce a random number, which, as is known, involves difficulties. Furthermore the complication and effort involved in encryption and decryption is greater when the random number is large. A further disadvantage is that the system relies on frequent changes of the temporary key, because otherwise an attacker can calculate the secret key if the user does not change the key sufficiently frequently. Furthermore the same key is used at least during encryption of a message.
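An added worked example, not the patent's own method or code, of the two-step blinding scheme described above, realised here under the assumption that the cipher is modular exponentiation with a constructed small prime modulus: the key is offset by a random number, the message is exponentiated with that temporary key, and a second exponentiation cancels the offset. A multiplication counter makes the extra effort of a large random number visible.

```c
#include <stdint.h>

/* Constructed toy parameters: a small prime modulus so 64-bit products
   never overflow. Real keys and moduli are far larger. */
#define P     1000003ULL   /* prime modulus (constructed) */
#define ORDER (P - 1)      /* group order: m^ORDER == 1 mod P for 0 < m < P */

/* Square-and-multiply exponentiation; 'ops' counts modular
   multiplications so the cost of a large blinding value is visible. */
static uint64_t modpow(uint64_t base, uint64_t exp, unsigned *ops)
{
    uint64_t result = 1;
    base %= P;
    while (exp) {
        if (exp & 1ULL) { result = result * base % P; (*ops)++; }
        base = base * base % P; (*ops)++;
        exp >>= 1;
    }
    return result;
}

/* Blinded exponentiation as assumed here: temporary key k' = k + r, a
   first pass m^k', then a correcting pass m^(ORDER - r mod ORDER) that
   undoes the blinding. The product equals m^k mod P. */
uint64_t blinded_encrypt(uint64_t m, uint64_t key, uint64_t r, unsigned *ops)
{
    uint64_t temp_key = key + r;                          /* key modified by random number */
    uint64_t c1 = modpow(m, temp_key, ops);               /* step 1: temporary key */
    uint64_t fix = modpow(m, ORDER - (r % ORDER), ops);   /* step 2: further function */
    return c1 * fix % P;
}

/* Reference: direct exponentiation with the unmodified key. */
uint64_t direct_value(uint64_t m, uint64_t key)
{
    unsigned ops = 0;
    return modpow(m, key, &ops);
}

uint64_t blinded_value(uint64_t m, uint64_t key, uint64_t r)
{
    unsigned ops = 0;
    return blinded_encrypt(m, key, r, &ops);
}

/* Modular multiplications spent by each variant, for comparing effort. */
unsigned direct_cost(uint64_t m, uint64_t key)
{
    unsigned ops = 0; modpow(m, key, &ops); return ops;
}
unsigned blinded_cost(uint64_t m, uint64_t key, uint64_t r)
{
    unsigned ops = 0; blinded_encrypt(m, key, r, &ops); return ops;
}
```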
DE 100 61 997 A1 describes a cryptography processor with a central processing unit and a co-processor, wherein the co-processor includes a plurality of subcomputing devices arranged in parallel and a single control unit coupled to each of the plurality of subcomputing devices. In that case the control unit provides that an exclusive useful data computation is distributed to the individual subcomputing devices, in the form of suboperations which are to be performed in parallel and/or serial mode.
DE 100 61 998 A1 describes a cryptography processor having a plurality of co-processors, a central processing unit for control of the plurality of co-processors and a bus for connecting each co-processor to the central processing unit. In that case each co-processor has a control unit, a plurality of registers and an arithmetic unit. The cryptography processor is in the form of a multifunctional processor and can be used either for useful data computations or for dummy computations, but not at the same time for both kinds of computation.
The object of the invention is to provide a cryptography device and a method of encrypting or decrypting data, which each reduce the susceptibility to side channel attacks in a simple fashion.